From f86bbb09f8070d7ca1773fa68b1ce02350edc07a Mon Sep 17 00:00:00 2001
From: Piotr Tworek
Date: Wed, 24 Jul 2019 17:08:19 +0200
Subject: [PATCH] Fix out of bounds memory read in get_keymap_from_resource.

The function reads resource content into a buffer whose size matches the size of the file contents. This buffer does not have an extra byte that would 0 terminate this string. This is by itself is not a problem. Unfortunately the buffer is passed to g_utf8_make_valid function with size argument specified as -1 which means the buffer is supposed to be NULL terminated. The end result is g_utf8_make_valid will read at least 1 byte past "contents" buffer size. Fix this by specifying buffer size when calling g_utf8_make_valid.
---
 eekboard/eekboard-context-service.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eekboard/eekboard-context-service.c b/eekboard/eekboard-context-service.c
index b94821ac..3dc96f1a 100644
--- a/eekboard/eekboard-context-service.c
+++ b/eekboard/eekboard-context-service.c
@@ -124,7 +124,7 @@ get_keymap_from_resource(const gchar *keyboard_type, gboolean fallback)
 &bytes_read, NULL, &error))
 goto keymap_error;
- return g_utf8_make_valid (contents, -1);
+ return g_utf8_make_valid (contents, size);
 keymap_error:
 if (fallback)
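Review bot: The length passed on the new `return` line is `size`, but the number of bytes actually written into `contents` is `bytes_read`, which the preceding `g_input_stream_read_all` call fills in. That call also returns TRUE when it reaches end-of-stream before `size` bytes have arrived, so on a short read the tail of the buffer would be scanned without ever having been written. Whether that tail is zero-initialized depends on the allocation, which is outside this hunk. Passing the count that was read keeps the scan inside initialized data: `return g_utf8_make_valid (contents, bytes_read);`. The body of get_keymap_from_resource starts before and continues after the hunk, so the declarations of `size`, `bytes_read` and `contents` should be checked when applying this.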